An .apk is a super-set of a .jar, and uses the standard Java certificate and signing mechanisms in a .jar. If you are concerned about this being broken... well, not sure what to say. :}
On Fri, Oct 8, 2010 at 6:00 AM, DanH <[email protected]> wrote: > I may have misinterpreted. Presumably there's a checksum of the APK > data in the signed certificate. I would assume (hope) that's a > cryptographically strong checksum. (If not, the entire Android > platform is in jeopardy.) > > If one wants a sure "signature" (in a generic sense) that uniquely and > reliably identifies a SPECIFIC version of code, that cryptographic > checksum would be what you want (though I don't know how you'd access > that). Otherwise, the public key (which Diane has finally explained > is what the package "signature" is) is a secure, reliable way to > identify the publisher (and, with the package name, the specific app > (though not it's version)). > > There's no point in creating a separate CRC32 over the app, to use as > an identity to send back to a server or whatever. > > On Oct 8, 6:21 am, Mark Murphy <[email protected]> wrote: > > What CRC32 checksum? > > > > Trevor Johns, in a discussion of LVL, offered up CRC32 as a means of > > helping detect tampering, but that was simply an example. Otherwise, I > > am coming up with zero references to the use of CRC32 with respect to > > APKs. > > > > Do you have a pointer to somewhere in the open source code where they > > are using a CRC32 checksum in this fashion? > > > > Thanks! > > > > On Fri, Oct 8, 2010 at 7:12 AM, DanH <[email protected]> wrote: > > > What I mean is that if the bad actor can manipulate the apk bytes > > > while still maintaining the same checksum, then the whole scheme is > > > insecure -- there's no point in having it signed. A CRC32 checksum is > > > easily spoofed -- the apk bytes need to be checksummed with a > > > cryptographic checksum of some sort. > > > > -- > > Mark Murphy (a Commons Guy)http://commonsware.com| > http://github.com/commonsguyhttp://commonsware.com/blog|http://twitter.com/commonsguy > > > > Warescription: Three Android Books, Plus Updates, One Low Price! > > -- > You received this message because you are subscribed to the Google > Groups "Android Developers" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected]<android-developers%[email protected]> > For more options, visit this group at > http://groups.google.com/group/android-developers?hl=en > -- Dianne Hackborn Android framework engineer [email protected] Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them. -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
